rpms/libxslt
6
0
Fork 0
Code Issues Pull Requests Releases Activity

Fix CVE-2024-55549 (RHEL-83506)

Browse Source 
Resolves: RHEL-83506
This commit is contained in:
David King 2025-04-04 08:51:12 +01:00
parent e2d5de3a68
commit c402c202d3
2 changed files with 109 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

103
libxslt-1.1.32-CVE-2024-55549.patch Normal file
View File

@ -0,0 +1,103 @@
From 5b3b3151e4af0f6c234c97e01e05cf6edc9eceab Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Tue, 21 Mar 2023 12:19:50 +0100
Subject: [PATCH 1/2] malloc-fail: Fix memory leak in exclPrefixPush
Found by OSS-Fuzz, see #84.
---
libxslt/xslt.c | 24 ++++++++----------------
1 file changed, 8 insertions(+), 16 deletions(-)
diff --git a/libxslt/xslt.c b/libxslt/xslt.c
index 7a1ce011..6d4126a1 100644
--- a/libxslt/xslt.c
+++ b/libxslt/xslt.c
@@ -157,31 +157,23 @@ exclPrefixPush(xsltStylesheetPtr style, xmlChar * value)
{
int i;
- if (style->exclPrefixMax == 0) {
- style->exclPrefixMax = 4;
- style->exclPrefixTab =
- (xmlChar * *)xmlMalloc(style->exclPrefixMax *
- sizeof(style->exclPrefixTab[0]));
- if (style->exclPrefixTab == NULL) {
- xmlGenericError(xmlGenericErrorContext, "malloc failed !\n");
- return (-1);
- }
- }
/* do not push duplicates */
for (i = 0;i < style->exclPrefixNr;i++) {
if (xmlStrEqual(style->exclPrefixTab[i], value))
return(-1);
}
if (style->exclPrefixNr >= style->exclPrefixMax) {
- style->exclPrefixMax *= 2;
- style->exclPrefixTab =
- (xmlChar * *)xmlRealloc(style->exclPrefixTab,
- style->exclPrefixMax *
- sizeof(style->exclPrefixTab[0]));
- if (style->exclPrefixTab == NULL) {
+ xmlChar **tmp;
+ size_t max = style->exclPrefixMax ? style->exclPrefixMax * 2 : 4;
+
+ tmp = xmlRealloc(style->exclPrefixTab,
+ max * sizeof(style->exclPrefixTab[0]));
+ if (tmp == NULL) {
xmlGenericError(xmlGenericErrorContext, "realloc failed !\n");
return (-1);
}
+ style->exclPrefixTab = tmp;
+ style->exclPrefixMax = max;
}
style->exclPrefixTab[style->exclPrefixNr] = value;
style->exclPrefix = value;
--
2.49.0
From 43c2b70b12717940ff9141c3bc2dc7f3a49df2b5 Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Thu, 5 Dec 2024 12:43:19 +0100
Subject: [PATCH 2/2] [CVE-2024-55549] Fix UAF related to excluded namespaces
Definitions of excluded namespaces could be deleted in
xsltParseTemplateContent. Store excluded namespace URIs in the
stylesheet's dictionary instead of referencing the namespace definition.
Thanks to Ivan Fratric for the report!
Fixes #127.
---
libxslt/xslt.c | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/libxslt/xslt.c b/libxslt/xslt.c
index 6d4126a1..11681a13 100644
--- a/libxslt/xslt.c
+++ b/libxslt/xslt.c
@@ -153,10 +153,20 @@ xsltParseContentError(xsltStylesheetPtr style,
* in case of error
*/
static int
-exclPrefixPush(xsltStylesheetPtr style, xmlChar * value)
+exclPrefixPush(xsltStylesheetPtr style, xmlChar * orig)
{
+ xmlChar *value;
int i;
+ /*
+ * orig can come from a namespace definition on a node which
+ * could be deleted later, for example in xsltParseTemplateContent.
+ * Store the string in stylesheet's dict to avoid use after free.
+ */
+ value = (xmlChar *) xmlDictLookup(style->dict, orig, -1);
+ if (value == NULL)
+ return(-1);
+
/* do not push duplicates */
for (i = 0;i < style->exclPrefixNr;i++) {
if (xmlStrEqual(style->exclPrefixTab[i], value))
--
2.49.0

7
libxslt.spec
View File

@ -8,7 +8,7 @@
Name: libxslt Name: libxslt
Summary: Library providing the Gnome XSLT engine Summary: Library providing the Gnome XSLT engine
Version: 1.1.32 Version: 1.1.32
Release: 6%{?dist} Release: 6.1%{?dist}
License: MIT License: MIT
URL: http://xmlsoft.org/XSLT URL: http://xmlsoft.org/XSLT
@ -33,6 +33,8 @@ Patch3: libxslt-1.1.32-CVE-2019-18197.patch
Patch4: libxslt-1.1.32-CVE-2019-11068.patch Patch4: libxslt-1.1.32-CVE-2019-11068.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1860467 # https://bugzilla.redhat.com/show_bug.cgi?id=1860467
Patch5: libxslt-1.1.32-unexpected-rvt-flag.patch Patch5: libxslt-1.1.32-unexpected-rvt-flag.patch
# https://issues.redhat.com/browse/RHEL-83506
Patch6: libxslt-1.1.32-CVE-2024-55549.patch
%description %description
This C library allows to transform XML files into other XML files This C library allows to transform XML files into other XML files
@ -137,6 +139,9 @@ rm -vrf %{buildroot}%{_docdir}
%endif # with python2 %endif # with python2
%changelog %changelog
* Fri Apr 04 2025 David King <dking@redhat.com> - 1.1.32-6.1
- Fix CVE-2024-55549 (RHEL-83506)
* Mon Aug 24 2020 David King <dking@redhat.com> - 1.1.32-6 * Mon Aug 24 2020 David King <dking@redhat.com> - 1.1.32-6
- Fix unexpected RVT flag error (#1860467) - Fix unexpected RVT flag error (#1860467)